Description:
Under certain environments it is possible to experience the following problem in the CA Mainframe Software Manager UI when attempting an action from the Software Catalog that tries to access CA Support Online (CA SO).
Error: An error occured trying to connect to CA Support Online. java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext Default implementation not found:
When viewing the CA Mainframe Software Manager tomcat log you will see a message like:
DEBUG ..... (ConsumeSC.java:106): IO Error was detected during PAS processing. ... java.security. NoSuchAlgorithmException: SSLContext Default implementation not found:
Solution:
This error is related to the java runtime security for SSL connections.
In the CA Mainframe Software Manager runtime data set SAMPLIB(MSMLIB), note the USS path specified for "export JAVA_HOME=".
Using this as the parent directory, locate the lib/security subdiretory in USS. There is a java.security file with a section header "List of providers and their preference orders (see above).". This section should closely resemble these entries:
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2 security.provider.2=com.ibm.crypto.provider.IBMJCE security.provider.3=com.ibm.security.jgss.IBMJGSSProvider security.provider.4=com.ibm.security.cert.IBMCertPath security.provider.5=com.ibm.security.sasl.IBMSASL security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider security.provider.8=org.apache.harmony.security.provider.PolicyProvider security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
If you notice an entry that is similar to the following:
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCAthen you may have implemented a hardware ICSF keystore as the default keystore for the java runtime.
If you want to determine if this is the case, edit the MSMLIB member to add an option which dumps keystore information:
-Djavax.net.debug=true
After restarting the CA Mainframe Software Manager Tomcat server, look for an output line like:
keyStore type is: jks
"jks" is the default keystore with which CA Mainframe Software Manager will successfully establish http SSL connections.
If you see a keyStore.type=jceccaks, that is indicative of a hardware ICSF keystore and most likely the root cause of the exception logged in CA Mainframe Software Manager.
The jceccaks keystore type may have been implemented with IBM EKM tape encryption.
To change the default keyStore back to "jks", please consult your z/OS system programmer.
Additional references:
ftp://public.dhe.ibm.com/s390/java/jsse/JSSEzOSRefGuide.html http://www-03.ibm.com/systems/z/os/zos/tools/java/faq/javasecurityfaq.html http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf